Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15/03/2024, 13:24
Behavioral task: behavioral1
Sample: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Resource: win10v2004-20240226-en
General
Target: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Size: 775KB
MD5: 66ef4802ece3a0d62cab8be7d6065c8d
SHA1: bf9bf0b3242ffb55726d8886480b23fc60b756c2
SHA256: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e
SHA512: 84f3122608910846ea3b9c23170a2dd371b7f14e63362f5082a8d1dde154911b68e75c05f947e594333d7bdad455e67e4b43cd79afbd4d8f6d6361a53ef6427c
SSDEEP: 24576:+Csl9+OXLpMePfI8TgmBTCDqEbOpPtpFa8xfq:Y+OXLpMePfzVTCD7gPtLaUfq
Malware Config
Extracted
Path: C:\Users\Admin\Desktop\l0GqT_readme_.txt
Family: avaddon
URLs:
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path: C:\Users\Admin\Downloads\l0GqT_readme_.txt
Family: avaddon
URLs:
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
Avaddon payload 1 IoCs
resource: behavioral1/files/0x000b000000012250-593.dat, yara_rule: family_avaddon
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid 2376, pid_target 2632, Process wmic.exe, procid_target 28
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid 2524, pid_target 2632, Process wmic.exe, procid_target 28
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid 2556, pid_target 2632, Process wmic.exe, procid_target 28
UAC bypass
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (Process: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe)
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (204) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE 1 IoCs
pid 1448, Process 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Checks whether UAC is enabled
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe)
Drops desktop.ini file(s) 1 IoCs
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini (Process: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe)
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe, one IoC per drive letter: \??\A:, \??\B:, \??\G:, \??\H:, \??\K:, \??\P:, \??\Z:, \??\E:, \??\I:, \??\M:, \??\Q:, \??\R:, \??\T:, \??\Y:, \??\F:, \??\L:, \??\U:, \??\J:, \??\N:, \??\O:, \??\S:, \??\V:, \??\W:, \??\X:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid 1020, Process vssadmin.exe
pid 1456, Process vssadmin.exe
pid 1992, Process vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 1876, Process 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe (all 64 IoCs are this same entry, repeated)
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid 2376, Process wmic.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 2524, Process wmic.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 2556, Process wmic.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 2524, Process wmic.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of WriteProcessMemory 28 IoCs
PID 1876 (33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe) wrote to memory of 2364, procid_target 35 (4 IoCs)
PID 1876 (33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe) wrote to memory of 1020, procid_target 40 (4 IoCs)
PID 1876 (33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe) wrote to memory of 1408, procid_target 42 (4 IoCs)
PID 1876 (33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe) wrote to memory of 1456, procid_target 44 (4 IoCs)
PID 1876 (33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe) wrote to memory of 2796, procid_target 46 (4 IoCs)
PID 1876 (33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe) wrote to memory of 1992, procid_target 48 (4 IoCs)
PID 1456 (taskeng.exe) wrote to memory of 1448, procid_target 54 (4 IoCs)
System policy modification 1 TTPs 3 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (Process: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (Process: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe (PID 1876)
  command line: "C:\Users\Admin\AppData\Local\Temp\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\SysWOW64\Wbem\wmic.exe (PID 2364)
    command line: wmic SHADOWCOPY DELETE /nointeractive
  C:\Windows\SysWOW64\vssadmin.exe (PID 1020)
    command line: vssadmin Delete Shadows /All /Quiet
    - Interacts with shadow copies
  C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1408)
    command line: wmic SHADOWCOPY DELETE /nointeractive
  C:\Windows\SysWOW64\vssadmin.exe (PID 1456)
    command line: vssadmin Delete Shadows /All /Quiet
    - Interacts with shadow copies
  C:\Windows\SysWOW64\Wbem\wmic.exe (PID 2796)
    command line: wmic SHADOWCOPY DELETE /nointeractive
  C:\Windows\SysWOW64\vssadmin.exe (PID 1992)
    command line: vssadmin Delete Shadows /All /Quiet
    - Interacts with shadow copies
C:\Windows\system32\wbem\wmic.exe (PID 2376)
  command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\wmic.exe (PID 2524)
  command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\wmic.exe (PID 2556)
  command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 1356)
  command line: C:\Windows\system32\vssvc.exe
C:\Windows\system32\taskeng.exe (PID 1456)
  command line: taskeng.exe {9EC3AC4E-BAB1-4FFB-BDE3-4F9A68D81BEB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe (PID 1448)
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (2)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Filesize: 775KB
MD5: 66ef4802ece3a0d62cab8be7d6065c8d
SHA1: bf9bf0b3242ffb55726d8886480b23fc60b756c2
SHA256: 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e
SHA512: 84f3122608910846ea3b9c23170a2dd371b7f14e63362f5082a8d1dde154911b68e75c05f947e594333d7bdad455e67e4b43cd79afbd4d8f6d6361a53ef6427c

Filesize: 3KB
MD5: 2250d14138abc188771890a81cf536cd
SHA1: 295d29fa7489b4a3f536339fefd73eafc91d2fe2
SHA256: 69a1acc4211c5a74cede07a6a89169bd3bd1617fee5fadebd643ab98e1ab2db1
SHA512: 8140e4beafe7c0149b080c4cdf7354329c02d52991852dbd3a182b041b0225dcc29619eac68d0eba2bf977b1e4c2ee99fa44dbf953e40a8a2244201c37559f31

Filesize: 3KB
MD5: 4715ea2453c07e61851a5d2038b41584
SHA1: 6451b6166634b4a7e4bc2b5cebb4d760081674fd
SHA256: 597ead2e955df992731d8a3763bde793c5b7f5dd9acd473458c93ef53ac8bb50
SHA512: e849e16da9b72f9061b9604e322fe506c1000bfdbe679e9f3d5fa67558659d835c6d6d8d8f766a1283530c6cc7b444a9cb57a58e06029e8fa23761a34d7d4fa3